Re: EAP and NTLM support (fwd)

2010-11-24 Thread JR Mayberry


http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx

Microsoft appears to be making steps to kill NTLM as it isn't secure.

On Tue, 23 Nov 2010, Phil Mayers wrote:


On 23/11/10 15:43, JR Mayberry wrote:


Is there a preferred method for doing EAP (from Wireless infrastructure) to
Active Directory for authentication via FreeRADIUS? Or is there an
alternative to EAP?


Samba domain membership and callout to the ntlm_auth helper binary.



It appears that NTLM is being deprecated and Samba is removing support in RedHat 5


Based on what?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





EAP and NTLM support (fwd)

2010-11-23 Thread JR Mayberry


Is there a preferred method for doing EAP (from Wireless infrastructure) to
Active Directory for authentication via FreeRADIUS? Or is there an
alternative to EAP?

It appears that NTLM is being deprecated and Samba is removing support in
RedHat 5 but NTLM seems to be the current recommended method.

Thanks


FreeRADIUS and syslog message changes

2009-06-23 Thread JR Mayberry


Hi,

OK - so I'm using a proxy setup and need better logging.
Sample messages:
Jun 23 13:54:59 localhost radiusd[23703]: Login OK: [rmayberr] (from client 0.0.0.0/0 port 1812)


Assuming that 0.0.0.0/0 is coming from the clients file. Adding individual 
clients isn't an option.


I want this log to include the Client-IP-Address or NAS-IP-Address instead 
of the clients file entry.


I've tried other options like a perl module that looks at RADIUS 
attributes, but freeradius doesn't call post_proxy on an Access-Reject, so 
I can only log authentication accepts...


Ideas how to get this accomplished?

Thanks

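An added example, not from the thread, of how a log consumer can tell which of these "Login OK" / "Login incorrect" lines actually identify the NAS. It parses the FreeRADIUS auth-log format quoted above and flags entries whose client field is a clients.conf shortname or a catch-all network such as 0.0.0.0/0 rather than a single host address, which is exactly the attribution gap the post describes. Only the first sample line is the one from the post; the others are constructed, and the regex group names and class names are my own.

```python
"""Parse FreeRADIUS 'Login OK' / 'Login incorrect' syslog lines and flag
entries whose client field is a catch-all network or a shortname instead of
a NAS address.

Added example for this thread; the sample lines below are constructed
(only the first mirrors the one in the post) and the field names are my own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Syslog prefix, then the FreeRADIUS auth log body. The '(reason)' part is
# optional so both 'Login OK:' and 'Login incorrect (...):' forms parse.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) radiusd\[(?P<pid>\d+)\]: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\)$"
)


@dataclass
class AuthEvent:
    ts: str
    user: str
    accepted: bool
    client: str       # whatever radiusd printed: shortname, IP or CIDR
    port: int
    cli: Optional[str]

    @property
    def nas_identified(self) -> bool:
        """True only if 'client' names a single host address.

        A shortname from the clients file or a catch-all network such as
        0.0.0.0/0 does not tell you which NAS sent the request.
        """
        try:
            net = ipaddress.ip_network(self.client, strict=False)
        except ValueError:
            return False          # shortname, not an address
        return net.num_addresses == 1


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one syslog line; return None for lines that are not auth results."""
    m = AUTH_LINE.match(line.strip())
    if not m:
        return None
    # User-Name may be logged as 'user' or 'user/password'; keep the name only.
    user = m["user"].split("/", 1)[0]
    return AuthEvent(m["ts"], user, m["result"] == "OK", m["client"],
                     int(m["port"]), m["cli"])


def unattributed_events(lines):
    """Return parsed events whose log line cannot be tied to a specific NAS."""
    events = [e for e in map(parse_auth_line, lines) if e is not None]
    return [e for e in events if not e.nas_identified]


# Constructed sample: line 1 is the post's example, the rest are invented.
SAMPLE_LOG = [
    "Jun 23 13:54:59 localhost radiusd[23703]: Login OK: [rmayberr] (from client 0.0.0.0/0 port 1812)",
    "Jun 23 13:55:02 localhost radiusd[23703]: Login incorrect: [jdoe/badpass] (from client 192.0.2.10 port 0 cli 00-11-22-33-44-55)",
    "Jun 23 13:55:07 localhost radiusd[23703]: Login OK: [asmith] (from client wlan-controller port 1812)",
    "Jun 23 13:55:09 localhost radiusd[23703]: Proxy: unrelated line that must be skipped",
]

if __name__ == "__main__":
    for ev in unattributed_events(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user!r} from {ev.client!r}: NAS not identified")
```

Run against a real radius.log this gives a quick count of how many accepts and rejects are unattributable; the fix on the server side is to log an expanded attribute such as Client-IP-Address or NAS-IP-Address rather than the clients-file entry, as the post asks.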


rlm_ldap and multiple ldap calls?

2008-12-21 Thread JR Mayberry


I'm not really sure if I'm doing this right, maybe someone can provide 
guidance. I have two problems a) how to structure my directory and b) how to do 
two lookups in rlm_ldap.


But, effectively, LDAP is our authorization store and I'm proxying RADIUS to an 
RSA server for authentication only. We're removing all authorization from RSA.


So, I've got devices in ou=Hosts,dc=blah,dc=com that are following the ipHost 
objectClass. Basically, I need a mechanism to put those devices into 
'groupOfIpHosts' - which isn't a real concept.


So, I use the 'seeAlso' attribute to reference a group of systems for that 
particular ipHost.


Then, I lookup that group and check if the user authenticating is a 
uniqueMember in that group.


So, I'm basically doing two ldap lookups. Right now, I'm doing it in an 
rlm_perl module which has obvious disadvantages (ldap persistence).


So
a) is there a better way to structure my directory?
b) can I do multiple ldap lookups using rlm_ldap to achieve same end goal?

LDAP calls look like this now

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

# connection setup and the two inputs; 'ldap.example.com' is a placeholder host,
# $ipaddress is the NAS address and $username the user being authenticated
my $ldap = Net::LDAP->new('ldap.example.com') or die "LDAP connect failed: $@";
my ($ipaddress, $username) = @ARGV;

# 1) get the hosts group
# the address is escaped so it cannot change the meaning of the filter
my $mesg = $ldap->search(
    base   => 'ou=Hosts,dc=comcast,dc=com',
    filter => '(ipHostNumber=' . escape_filter_value($ipaddress) . ')',
    attrs  => ['seeAlso'],
);
die $mesg->error if $mesg->code;
## returns group membership into $group
my ($host) = $mesg->entries;
my $group  = $host ? $host->get_value('seeAlso') : undef;
die "no group referenced for $ipaddress" unless $group;

# 2) verify user in group
# the user name is escaped as a DN component first, then the whole DN as a filter value
my $user_dn = 'uid=' . escape_dn_value($username) . ',ou=users,dc=comcast,dc=com';
$mesg = $ldap->search(
    base   => $group,
    scope  => 'base',
    filter => '(uniqueMember=' . escape_filter_value($user_dn) . ')',
    attrs  => ['uniqueMember'],
);
die $mesg->error if $mesg->code;
my $authorized = $mesg->count > 0;   # true when the group lists the user



Sun SSH and pam_radius_auth

2005-11-10 Thread JR Mayberry


Has anyone seen an issue with Sun SSH and pam_radius_auth where it sends a
RADIUS Access-Request packet apparently during ssh-connection method none?

Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth-request for user red service ssh-connection method none
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: attempt 0 failures 0
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: Starting up PAM with username red
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 730685 auth.debug] PAM[8702]: pam_start(sshd,red,b6930:cfdc8) - debug = 1
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:service)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:user)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:conv)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:tty)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth_banner: sent
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:conv)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 635154 auth.debug] PAM[8702]: pam_authenticate(cfdc8, 1)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 232006 auth.debug] PAM[8702]: load_modules(cfdc8, pam_sm_authenticate)=/usr/lib/security/pam_radius_auth.so.1
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 971319 auth.debug] PAM[8702]: load_function: successful load of pam_sm_authenticate
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 232006 auth.debug] PAM[8702]: load_modules(cfdc8, pam_sm_authenticate)=/usr/lib/security/pam_unix.so.1
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 971319 auth.debug] PAM[8702]: load_function: successful load of pam_sm_authenticate
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 338151 auth.debug] PAM[8702]: pam_get_user(cfdc8, cfdc8, NULL)
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Got user name red
Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Sending RADIUS request code 1
Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: RADIUS server 172.24.43.230 failed to respond
Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: All RADIUS servers failed to respond.
Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: authentication failed


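An added example, not part of the post, that pulls the sequence JR describes out of a Solaris sshd/PAM debug log: it groups lines by the sshd pid, remembers the most recent userauth method seen for that pid, and reports when pam_radius_auth sends an Access-Request (code 1) while that method is still "none", i.e. before the client has offered any credential, together with any RADIUS servers that failed to respond in the same session. The sample is a constructed subset of the posted lines plus one invented session (pid 9001) where the request only goes out under method "password"; the function and regex names are my own.

```python
"""Correlate sshd/PAM debug lines per sshd pid and flag a RADIUS
Access-Request that is sent while the SSH userauth method is still 'none'.

Added example for this thread, not part of the original post. The sample
lines are a constructed subset of the posted log plus one invented session.
"""
import re
from collections import defaultdict
from typing import Dict, List

PID_RE = re.compile(r" sshd\[(\d+)\]: ")
METHOD_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
SEND_RE = re.compile(r"pam_radius_auth: Sending RADIUS request code (\d+)")
FAIL_RE = re.compile(r"pam_radius_auth: RADIUS server (\S+) failed to respond")


def analyse_sshd_log(lines) -> Dict[str, Dict[str, List[str]]]:
    """Return per-pid findings: premature RADIUS requests and unresponsive servers.

    Only pids with at least one finding appear in the result.
    """
    method: Dict[str, str] = {}          # pid -> most recent userauth method
    findings = defaultdict(lambda: {"premature_radius": [], "unresponsive": []})
    for line in lines:
        pm = PID_RE.search(line)
        if not pm:
            continue                      # not an sshd line
        pid = pm.group(1)
        if m := METHOD_RE.search(line):
            method[pid] = m.group(2)
        elif m := SEND_RE.search(line):
            # code 1 is Access-Request; under method 'none' the RADIUS round
            # trip (and here a 5 s timeout) happens before a password exists
            if m.group(1) == "1" and method.get(pid) == "none":
                findings[pid]["premature_radius"].append(line)
        elif m := FAIL_RE.search(line):
            findings[pid]["unresponsive"].append(m.group(1))
    return dict(findings)


# Constructed sample: pid 8702 lines are taken from the post, pid 9001 is invented.
SAMPLE_SSHD_LOG = [
    "Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth-request for user red service ssh-connection method none",
    "Nov 10 23:30:06 aaa01 sshd[8702]: [ID 635154 auth.debug] PAM[8702]: pam_authenticate(cfdc8, 1)",
    "Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Sending RADIUS request code 1",
    "Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: RADIUS server 172.24.43.230 failed to respond",
    "Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: authentication failed",
    "Nov 10 23:31:00 aaa01 sshd[9001]: [ID 800047 auth.debug] debug1: userauth-request for user blue service ssh-connection method none",
    "Nov 10 23:31:02 aaa01 sshd[9001]: [ID 800047 auth.debug] debug1: userauth-request for user blue service ssh-connection method password",
    "Nov 10 23:31:02 aaa01 sshd[9001]: [ID 801593 auth.debug] pam_radius_auth: Sending RADIUS request code 1",
]

if __name__ == "__main__":
    for pid, f in analyse_sshd_log(SAMPLE_SSHD_LOG).items():
        print(f"sshd[{pid}]: {len(f['premature_radius'])} RADIUS request(s) sent under method none, "
              f"unresponsive servers: {f['unresponsive'] or 'none'}")
```

Fed the full debug log from the post, this isolates the one fact that matters for the question: the Access-Request and the subsequent server timeout both occur inside the method-none exchange for pid 8702, before any password has been supplied.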